Last Week in Security (LWiS) - 2022-01-25
PrinterLogic RCEs (@TheParanoids), Java app analysis (@infosec_au), DCSync from Linux (@n00py1), timed race conditions (@itscachemoney), ManageEngine auth bypass (@sourceincite), Windows driver RE methods (@Void_Sec), Sliver 1.5 with BOF support (@LittleJoeTables), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-18 to 2022-01-25.
News
- MoonBounce: the dark side of UEFI firmware. UEFI/SPI firmware malware is very scare, as you can "Wipe The Drive" but it won't get rid of the malware. Check out this PDF for the technical details (PDF) and vx-underground for the samples.
- How I hacked a hardware crypto wallet and recovered $2 million. Joe Grand found that the particular firmware version of the target Trezor was copying the PIN to RA so he voltage glitched the MCU to bypass the debug disable which allowed the key to be read from RAM.
- California public office admits Covid-19 healthcare data breach. Exactly zero people are surprised. Any production database is potentially useful to attackers, this one had lots of personally identifiable information to go after.
- Force Chrome major version to 100 in the User-Agent string. This feels like the exact opposite of zer0ver.
- An Armful of CHERIs. Silicon that can enforce memory safety? I'm intrigued.
- Cyber Risks and Business Interruption Insurance - Merck and International Indemnity v ACE (et al.). TLDR (too legal didn't read in this case): the cyber insurers for Merck - the shipping giant cripped by NotPetya ransomware - tried to claim that the "War or Hostile Acts" exclusion would apply since Russia was behind the NotPetya attack. The court said nope, pay up!
- CVE-2022-23307: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.. Yes, even the unsupported Log4j 1.x branch was vulnerable. If you were on an unsupported version of Log4j you've definitely upgraded in the last month right?
- McAfee Enterprise-FireEye relaunches as Trellix, aims to be ‘market leader’ in XDR. RIP McAfee (x2), and also two vulnerabilities.
Techniques
- Multiple RCE vulns in PrinterLogic Web Stack versions 19.1.1.13 SP9 and below. Check out the technical write up, which takes this week's top spot for it's technical merit but also the section on how PrinterLogic was chosen as a research target. Well done Blaine!
- Solarwinds Web Help Desk: When the Helpdesk is too Helpful. This post has some helpful tips on digging into java applications. Who knows, you just might find hard coded credentials!
- Recovering redacted information from pixelated videos. You've seen static text unbluring, but what about video? If you really want to redact something, black boxes are usually the best answer.
- Adding DCSync Permissions from Linux. If you find yourself on a Linux machine but with an AES key to a computer account with WriteDACL over the domain, you might be able to DCSync.
- ZohOwned :: A Critical Authentication Bypass on Zoho ManageEngine Desktop Central. Another Java bug chain, this time on critical remote management software.
- Recovering Randomly Generated Passwords. Yes, randomly generated passwords are very hard to crack, but Hans proves you can do better than a full brute force given time constraints.
- Windows Drivers Reverse Engineering Methodology Paolo sums up his year-long Windows Drivers research and details his methodology for reverse engineering (WDM) Windows drivers. This is a free mini-course on Windows driver RE!
- WMI for Script Kiddies. Nothing groundbreaking, but if you need a one stop shop of WMI knowledge, this is a good candidate.
Tools and Exploits
- chrome-bandit is a proof of concept to show how your saved passwords on Google Chrome and other Chromium-based browsers can easily be stolen by any malicious program on macOS.
- TREVORproxy is a SOCKS proxy written in Python that randomizes your source IP address. Round-robin your evil packets through SSH tunnels or give them billions of unique source addresses!
- chronorace is a tool to accurately perform timed race conditions to circumvent application business logic. Well timed race conditions can allow for uncovering all kinds of interesting edge cases. Here is a good example.
- RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks, it first collects the syscall numbers of the NtOpenFile, NtCreateSection, NtOpenSection and NtMapViewOfSection found in the LdrpThunkSignature array.
- Sliver v1.5.0. This release has a lot of cool changes. My favorite is BOF support!
- FunctionStomping is a new shellcode injection technique. Given as C++ header or standalone Rust program. Currently undetected by hollows-hunter.
- SharpGhosting is Process Ghosting (x64 only) in C#.
- CVE-2021-45467: CWP CentOS Web Panel – preauth RCE. File inclusion + directory traversal = RCE.
New to Me
This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!
- A month ago AWS accidentally gave themselves read access to every S3 bucket for 12 hours. I missed this news. Such a big gaff should have been widely reported?
- VulnLab is a dockerized web vulnerability lab.
- extrude analyzes binaries for missing security features, information disclosure and more.
- serverManager is an IPMI server manager build for Dell 12th gen servers. If you have an R710 or R720 at home you have to give this a try.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.